What is a “Sextortion” Email Scam?

“Sextortion” email scams are a form of “social engineering” designed to trick or entice a user into clicking on a link, installing malware, paying a ransom, or taking some other action that the victim would not typically engage in without interference. Why do we refer to this as a form of “social engineering”? Because arguably the purpose of the “sextortion” portion of the content is to use fear (manipulation) to shock or trick a person into clicking on a link or taking other action.

A recent “sextortion” email example that came across my desk can be summarized as follows: “We (the sender of this mail) have a web cam video of you engaging in a particular act while watching on-line pornography. If you don’t believe that we really have this video, click this link to watch the video for yourself.” Clicking the link of course delivers ransomware or another viral payload to one’s computer, or worse.

Another recent “sextortion” scam sent users a decade-old password in the e-mail (used to shock the user into thinking the threat is real; in reality it is typically a once-legitimate vendor password exposed via a past data breach) and told users that if they did not pay a bitcoin ransom the illicit video would be sent to all the user’s e-mail contacts. It should go without saying that none of these scammers really have a video of the user watching porn.

We must all be on guard in order to prevent damage to our systems from these malicious actors (typically individuals, small teams, or organized crime located in the third world), as they will no doubt continue to evolve their tactics. A rule of thumb I often repeat to all who will listen is: “If one finds themselves squinting at a mail in wonder, trying to determine if it is legitimate... it is not”. Delete, or otherwise verify, all suspicious mails before clicking on included links. When in doubt, feel free to forward to our team for further analysis.

Our computers and mobile devices find resources on the Internet using a naming system called DNS (Domain Name System). DNS converts the names we humans use to browse the web (ex. www.AVAREN.com) into the IP addresses our computers use to communicate with each other over a network or the Internet (ex. 127.0.0.1). In the 2000’s some innovative software developers determined that it would make sense to intercept the outbound DNS requests our devices perform and check those requests against a list of known “bad neighborhoods” on the Internet, preventing computer users from accessing websites and servers known to be harmful or unauthorized.
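To make the name-to-address conversion described above concrete, here is a minimal DNS client as an added example (it is not AVAREN’s code and not part of the original article). It builds the 12-byte DNS header plus an encoded question, sends it over UDP port 53 to one specific resolver, and reads the A records out of the reply. The function names (`build_query`, `parse_a_records`, `resolve`) are mine, the default resolver is the FamilyShield address quoted later in the article, and the sample reply bytes are constructed by hand so the parser can be exercised offline.

```python
"""Minimal DNS client: build a query packet, parse the answer section.

Added example (not AVAREN's code). Shows what "converting a name to an IP
address" looks like on the wire: a 12-byte header, the name as length-prefixed
labels, then the answer records. SAMPLE_RESPONSE is constructed for testing.
"""
import socket
import struct


def encode_name(name: str) -> bytes:
    """www.example.com -> b'\\x03www\\x07example\\x03com\\x00' (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txn_id: int = 0x1234) -> bytes:
    """Standard recursive query (flags 0x0100 = RD) for a single A record."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name that starts at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_a_records(msg: bytes, expect_id: int = 0x1234) -> list:
    """Return the IPv4 addresses found in the answer section of a DNS response."""
    txn_id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txn_id != expect_id:
        raise ValueError("transaction id mismatch (reply not for our query)")
    rcode = flags & 0x000F
    if rcode != 0:
        raise ValueError("resolver returned RCODE %d" % rcode)
    off = 12
    for _ in range(qd):  # skip the echoed question(s): name + QTYPE + QCLASS
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


def resolve(name: str, resolver_ip: str = "208.67.222.123", timeout: float = 3.0) -> list:
    """Ask one specific resolver (default: FamilyShield resolver1-fs) for a name. Needs network."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver_ip, 53))
        reply, _ = sock.recvfrom(4096)
    return parse_a_records(reply)


# Constructed sample reply: same id, flags 0x8180 (QR, RD, RA), 1 question,
# 1 answer pointing www.example.com at 192.0.2.10 (a documentation address).
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + encode_name("www.example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
)

if __name__ == "__main__":
    print(parse_a_records(SAMPLE_RESPONSE))
```

Calling `resolve("www.example.com")` sends the same query to the FamilyShield resolver; comparing its answer with that of your ISP’s resolver for a site you expect to be filtered is a quick way to confirm that a router change actually took effect, since a filtering resolver answers with the address of its block page rather than the real site.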

Leap forward 10 to 15 years and we now have well-refined, commercially available DNS security solutions that can be used at home or work. At work, we currently use Cisco Umbrella (formerly OpenDNS), which gives us granular reporting capabilities on the traffic emitted by devices and networks. On the home front, two options are available and can be used for free.

FamilyShield DNS protection (includes a porn blocker) can be enabled for every device on a network simply by making the FamilyShield DNS server addresses the primary DNS forwarders on your home router. If your router allows you to change the primary DNS server values, simply plug in the values below for immediate protection:

208.67.222.123 (resolver1-fs.opendns.com)

208.67.220.123 (resolver2-fs.opendns.com)

Every device behind a router thus configured will now be much more secure and protected from malware, ransomware, and more; this will also make it harder for kids to get to inappropriate sites. After signing up with your e-mail address at FamilyShield (free), one can gain some degree of visibility into the requests emanating from a network if desired.

The other option for free home use also would ideally entail changing the DNS forwarder values on your router, although this option only protects against malware (no porn blocker). These DNS server values (use two or more) are as follows:

208.67.222.222 (resolver1.opendns.com)

208.67.220.220 (resolver2.opendns.com)

208.67.222.220 (resolver3.opendns.com)

208.67.220.222 (resolver4.opendns.com)

Updated values for any of these servers can always be found at the OpenDNS or FamilyShield websites, as well as the OpenDNS Wikipedia article.

For businesses we require a greater degree of transparency into the granular flows of device and network traffic, not to mention the ability to shape traffic flows to the taste of the business owner; so we manage the commercial Cisco Umbrella service on behalf of our clients. Cisco Umbrella is the most highly developed and flexible solution of its kind currently on the market. It is occasionally necessary for us to “whitelist” or allow traffic to addresses the filter typically blocks (a feature not available in the free versions). We can also deploy protections on roaming clients (laptops) with the commercial version.

Implementing a DNS security solution of this kind at either home or work can go a long way towards cutting down on unwanted computer and device infections. Considering that these protections can be enabled at home for free (with limitations), is there really any reason not to have it enabled? If you need help getting this or other solutions correctly configured for your business, please call us today (214-379-4200).

Occasionally it can become necessary to transmit confidential information (such as account user-names and passwords) to co-workers or family members via electronic means. Because of concerns related to account hacking and ghosting (ghosting being where a hacker compromises and then monitors a communications band such as e-mail, looking for more credentials), some thought should be given to how we go about transmitting this information to others. As there are typically three vital pieces of information associated with any account (vendor name, user-name, password), it becomes important to refrain from using the same “communications band” to transmit all three for any given account. “Out of band” communication thus means any communication mechanism other than your primary one, or other than the one you are already using. So if you are on the phone, transmit at least one piece of account info using a different method. Here are some further tips for consideration.

Avoid using the same password at multiple vendors. Doing so can lead to multiple accounts being compromised at once.

If you are conversing about a vendor’s logon over a voice line, one could verbally transmit the user-name while using another method to transmit the password (SMS text, Skype, Microsoft Teams, WhatsApp, etc.).

If you are conversing via text message (or other program) and have already referenced the user-name, one could verbally transmit or use an alternate application (Voice, WhatsApp, MS Teams, etc.) to transmit the password.

Consider deleting historical records of password transmissions (text messages or e-mails containing this information). Should a person’s phone or e-mail become compromised, we wouldn’t want this information in plain text (allowing anyone with access the ability to search through our records).

Utilizing the concept of “out of band” communication when transmitting multiple pieces of sensitive information gets easier with practice, but unfortunately is a must given current Internet security concerns. I am aware of at least one recent example where a mailbox was compromised and the hacker searched the mailbox for other user/pass combos. Thus keeping all three pieces of this vendor information together in clear text in one’s Outlook could cause major trouble if an account became subject to ghosting for example. Storing this information securely in a well-engineered application designed specifically for this purpose (such as LastPass, Dashlane, Keeper, or Passportal) is becoming essential. Feel free to call us for more information if you would like to begin using such a system at your business.

Email scammers never seem to rest when looking for ways to bypass business spam filters. Sometimes their intent is to encrypt files while holding them for ransom ($$), other times their intent is to simply wreak havoc. Either way, computer users today must be adept at spotting and avoiding fake or scam emails. In this article we are going to analyze a fake shipping notification purportedly sent from DHL.

Employed within the scam mail (shown below) is the typical URL bait-and-switch trick. In other words, an unsuspecting user might believe that the links in this e-mail would take them to a legitimate DHL website where they could follow up on this notice, further investigate its cause, etc. However, when one mouses over the links in this e-mail, they do not point to an address related to DHL but instead link to what appears to be a fake multimedia company’s website in Zaire.

[Image: the fake DHL shipping notification e-mail]

What are some of the red flags that this is a scam email? The first noticeable item is that the originating domain name purports to be “shippingexpress.com” instead of a DHL related domain name. ShippingExpress.com happens to be a domain name that is currently for sale (and thus not currently functional) by a company called AfterNic. The next item of interest is that the subject wording is too verbose and at odds with the content of the e-mail. Next, the word “POST” appears in all caps within the middle of the first sentence of the email. I think it safe to say that DHL proper would have taken the time to correct such an oversight on one of their most heavily utilized forms. There are also numerous other grammatical errors within the text of the e-mail.

Lastly, and mentioned earlier, when one “mouses over” the links within the e-mail they would actually take a person to a page on a website in Zaire. This technique of “mousing over” links in emails to verify the URL in question before actually clicking on the link, is a trick that should be employed by every computer user at every company before any e-mail link is “clicked on”. Again I must stress, this step must be performed on any link within any e-mail that a person intends to click on.

Needless to say this particular e-mail contains a wealth of clues that one could use to determine it is a scam before actually clicking on any of the links. A rule of thumb I often share with users is this: “If one must squint at an e-mail in wonder while determining if it is valid; this is your first clue that the e-mail is fraudulent (and any links or attachments within it must not be executed.)” Stated more succinctly, “If you find yourself wondering if an e-mail is valid…there is a 95+% chance that it is not.”

Be on the lookout for these and other scam “emails” that could contain virus related or other malicious payloads. Should you have questions or wish to seek additional confirmation about any particular email, feel free to send it to us for further investigation. When in doubt – delete, call the sender to verify, or forward to AVAREN support. The consequences of executing malicious payloads via scam mails can cost a business thousands of dollars in lost revenue, lost productivity, and repair bills.

No matter how great the spam filter a business employs, the occasional malicious email will still make it through to end users. A decent analogy might be that of a battle of tug-o-war between good and bad actors. The bad actors develop a new kind of spam intended to fool the spam filters, while the good actors work to build adaptive systems or otherwise tweak the filter to keep the bad actors at bay. In this article we will discuss a textbook example of the type of malicious e-mail that can occasionally make it through a filter. Take a look at the image below as it displays a number of red flags users should be aware of:

[Image: the scam e-mail, with its red flags marked]

The e-mail purports to be from someone in Norway (.no)? This begs the question, “Is it reasonable to expect e-mails from Norway at our business?”

When one “mouses over” the included link, the URL displayed behind the link appears to be an Iranian (.ir) domain name. Always be sure to “mouse over” links in e-mails to see the URL that is displayed before committing to clicking on the link.

Use of the word “Kindly” begs the question, “When is the last time a business associate in your universe of contacts began an email with this word?” Odd use of the language is always a red-flag.
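The “mouse over” check described in both the DHL article above and the red flags just listed can also be done programmatically, which is useful when a help desk receives forwarded mails for verification. The following script is an added example (not AVAREN’s code and not from either article): it parses a constructed sample message, lists every link’s visible text next to its real destination, and flags links whose visible text names one host while the `href` points at another, plus sender and link domains ending in a country code the business does not expect. The sample hostnames, the `expected_cc` list and the function names are all mine; the “last two labels” approximation of a registrable domain is deliberately crude (it mis-handles suffixes such as `.co.uk`), so treat the output as a triage aid rather than a verdict.

```python
"""Red-flag checker for a forwarded e-mail: the "mouse over" step, scripted.

Added example (not AVAREN's code). The SAMPLE message below is constructed;
the hostnames in it are invented for this demonstration.
"""
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Something that looks like a hostname inside the visible link text
HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._open = None  # [href, text] of the anchor currently being read

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append((self._open[0], self._open[1].strip()))
            self._open = None


def registrable(host: str) -> str:
    """Crude registrable-domain approximation: the last two labels (no public-suffix list)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_links(html: str) -> list:
    """One finding per anchor; 'mismatch' is the bait-and-switch signal."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real_host = urlparse(href).hostname or ""
        shown = HOST_RE.search(text)
        shown_host = shown.group(0) if shown else ""
        mismatch = bool(shown_host) and registrable(shown_host) != registrable(real_host)
        findings.append({"text": text, "href": href, "real_host": real_host,
                         "shown_host": shown_host, "mismatch": mismatch})
    return findings


def unexpected_tld(host: str, expected_cc) -> bool:
    """True if host ends in a two-letter country code that is not in expected_cc."""
    tld = host.rsplit(".", 1)[-1].lower() if "." in host else ""
    return len(tld) == 2 and tld not in expected_cc


def analyze(raw_message: str, expected_cc=frozenset({"us"})) -> dict:
    """Parse headers + HTML body and return the sender host, link findings and flags."""
    msg = message_from_string(raw_message)
    from_addr = msg.get("From", "")
    sender_host = from_addr.rsplit("@", 1)[-1].rstrip(">").strip() if "@" in from_addr else ""
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    links = check_links(body)
    flags = []
    if unexpected_tld(sender_host, expected_cc):
        flags.append("sender domain %s is in an unexpected country" % sender_host)
    for f in links:
        if f["mismatch"]:
            flags.append("link text names %s but points at %s" % (f["shown_host"], f["real_host"]))
        if unexpected_tld(f["real_host"], expected_cc):
            flags.append("link host %s is in an unexpected country" % f["real_host"])
    return {"sender_host": sender_host, "links": links, "flags": flags}


# Constructed sample: a "Norwegian" sender, a link whose text shows one host
# while its href goes to another (.ir), and one honest link for contrast.
SAMPLE = """From: Matthew <matthew@example-firm.no>
To: accounts@example-business.com
Subject: Kindly review the attached shipment notice
Content-Type: text/html; charset=utf-8

<html><body><p>Kindly track your parcel at
<a href="http://tracker.example-media.ir/view?id=1">http://www.courier.example.com/track</a>
or visit <a href="https://www.courier.example.com/">our courier site</a>.</p></body></html>
"""

if __name__ == "__main__":
    for line in analyze(SAMPLE)["flags"]:
        print("RED FLAG:", line)
```

The `expected_cc` set is the one piece of local policy in the script: a business that regularly corresponds with Norway would add `"no"` to it, which is exactly the question the article asks (“is it reasonable to expect e-mails from Norway at our business?”).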

Next let’s take a look at the signature included in the mail (see image below):

[Image: the e-mail signature]

First we see that “Matthew” has included two salutations: both “Thanks” and “Kind Regards”. While by no means a giveaway unto itself, it is yet another red flag to add to the growing list of others.

The e-mail body and signature are using two different font colors. Again while not a giveaway, it may be an indication that this e-mail was put together by a programmer using code; as compared to an organically and personally derived e-mail.

Why is Matthew’s name in all caps while the rest of the e-mail seemingly respects rules for capitalization? Is this normally seen within e-mail signatures? Another indication that the e-mail might be computer generated and populated by a database engine instead of organically derived.

Would we expect (at our business) unsolicited e-mail attachments from a person with an overseas phone number? In this case the number appears to be from Karauli (NW Central India).

We can see that after a bit of analysis it becomes clear (multiple red flags) that this example e-mail is fraudulent, and the link undoubtedly contains malicious code that could harm our systems. A rule of thumb I often share with users is this: “If one must squint at an e-mail in wonder while determining if it is valid; this is your first clue that the e-mail is fraudulent (and any links or attachments within it must not be executed.)” Stated more succinctly, “If you are wondering if an e-mail is valid… it’s probably not.”

Be on the lookout for these and other “emails” that may contain malicious payloads. Should you have any doubts or wish to seek additional confirmation, feel free to send the e-mails to AVAREN for verification. When in doubt – delete, call the person to verify, or forward to AVAREN. The consequences of executing payloads in malicious mails can cost a business days or weeks of productivity, and many thousands of dollars in lost revenues and repair bills.

The invoice below was sent in by a client for verification. Although it looks very much like an invoice, if one reads the fine print it becomes clear that it is actually a solicitation for a website listing on a relatively obscure internet directory. The internet directory in question appears to be operated by the same group that mailed the invoice.

If one goes to the URL for the internet directory (http://domainlistings.directory), one can find lists of people in one’s own town that seemingly unwittingly sent in payment for this un-needed service. In my case I looked up Arlington, a fairly large city. The directory only had 3 restaurant listings within all of Arlington. This then begs the questions, who is looking at this directory, and why does it cost $228 for an annual listing? The answers to these questions seem obvious.

This mailed-in invoice is thus for an over-priced service that apparently few people utilize. It is likely to have little to no bearing on one’s Google results for example.

Be on the lookout for these and other “invoices” for unnecessary services and either send them to us for verification or put them in the shredder. Should our (AVAREN’s) customers ever have doubts about any technology related invoice; they are free to call us, or proactively forward these invoices to AVAREN for further examination.

Which Type of Microsoft Office Should a Business Buy Today?

Last update – 9/7/18

Office Home & Business Retail: $229 (approx.)

Office 365 “Business Plus” Subscription: $9.95/month*

Email Registration Requirement

Changes to the e-mail registration requirement for retail purchases of the Office suite have made managing the licensing for fleets of machines unwieldy. The issue pertains to being compelled to tie every retail license to a specific e-mail address. This requirement makes managing the retail licenses harder than necessary, especially when employee turnover occurs. This (e-mail) registration requirement is what forced us initially to re-evaluate this situation.

Cost Analysis

At a cursory glance (from a cost perspective alone) it may seem that the outright retail purchase of the Office suite could make sense, but this is only true for a fixed period of time between 24 and 60 months which I will explain.

Microsoft typically supports business applications for 10 years, however businesses should likely be upgrading their Office applications in the neighborhood of every 3-5 years, largely because of reasons surrounding interoperability with other applications and underlying operating system, as well as interoperability with other teams, clients, vendors, etc.

Thus when doing a cost analysis (assuming a user would get a new retail copy of the Office suite every 5 years) the only period of time in which it could be argued that outright purchases of retail licenses make more sense is between months 24 and 60. During the first 24 months or after 60 months, the cost to the business is roughly the same.

New Features

The new subscription packages host a plethora of new features that don’t exist in the retail version. These include:

No need for (20X larger) outright purchase.

Web accessible version of the Office suite that can be used when traveling or not on your own device.

1 terabyte of cloud storage accessible from any of your devices.

Subscription model allows each user up to 5 installations on a variety of devices.

Continuously access latest versions of the Office suite.

No obligation, can cancel a subscription at any time

Up to Five Installations for the Price of One

With a single monthly subscription a user can install the Office suite on up to 5 separate devices (work and home machines, laptop, mobile devices, etc.) This is a real game changer. Thus when considering the situation in its totality, it would seem that there is no longer any justification for groups (that expect to remain in business) to continue to support or purchase the retail version of Microsoft Office.

With the cost being roughly the same over a period of years, the lack of a long term commitment, the elimination of the management headaches associated with the retail licenses, the subscription model being more feature rich and convenient in a multitude of ways, and the fact that you get up to 5 installs for the price of 1 with the subscription; Microsoft has changed the playing field enough so that in most situations and for most businesses, the subscription model now makes the most sense.

Be On The Alert for Bogus Software Retailers

There are now unscrupulous retailers infiltrating the online shopping areas of most of the major search engines. These companies appear to be legitimate and have tons of great reviews (which are either bogus or go back only a few months), but their prices are too good to be true when compared to those of large, legitimate, well-known retailers. It turns out that what these criminals are doing (generally from overseas) is selling Microsoft Developer Network demo licenses that will often activate for a limited period of time but were not intended for retail sale. We’ve had customers purchase these licenses only to have to purchase them again from legitimate retailers. If it is too good to be true, etc. Like a Ponzi scheme, these unscrupulous retailers eventually disappear once the complaints start stacking up; they then re-invent themselves under a new brand name and start the scam all over again.

* For businesses with needs beyond the basic suite included in the “Business Plus” plan (Access, Excel, OneNote, Outlook, PowerPoint, Publisher, Word), a number of other extended suites are available.

4 Types of Social Engineering Used Every Day

Article by Calyptix Security. August 28th, 2017

Persuasion is part of life. We all try to persuade friends and loved ones to act in a certain way, usually with the best of intentions. Social engineering is when “persuasion” takes a darker turn. In a broad sense, it includes any action that attempts to influence a person to act against their best interests. Technically, acts that influence people to behave within their own interests are also social engineering. However, the term is used almost exclusively within the context of fraud, scams, and cyber crime. Con artists are master social engineers. So are modern hackers who rely on spam and phishing, and they have a few new tricks up their sleeves.

Social Engineering Tactics

Below we describe some of the most common social engineering tactics used today in cyber crime. In the real world, cyber attacks do not fit into neat categories. Instead, each is unique, often combining multiple channels and tactics. While categorization is helpful to understand the nature of the beast, remember that many of these tactics will overlap in the wild.

Impersonation

Impersonation is one of the most common types of social engineering. Obviously, it’s when an attacker presents himself or his communication as originating from another party. Attackers routinely impersonate authority figures – such as police officers or CEOs – knowing many people are quick to follow orders from authority, as has been proven in psychological experiments. Many other roles are impersonated: lottery officials, wireless service reps, government officials, coworkers, family members – the list is nearly infinite.

Remote tech support scams

Phone scams are nearly as old as telephones. In a typical scam, the attacker calls the victim, poses as someone else, and uses a false pretense to con the victim into sending payment. In recent years, the tactics have been used for cyber crime. Tech support scams are a common example. The attacker calls posing as an employee from Apple, Dell, or Microsoft and claims the victim has a malware infection or other tech problem. Rather than conning the victim into sending payment, the attacker walks them through the steps to allow a connection to their computer through a remote desktop app. You can hear examples of these calls in this article from Wired. Once attackers are in, they do as they please, typically installing ransomware. Some attackers take a multi-pronged approach. Posing as the IRS, one group called victims and demanded either payment or computer access immediately.

Emergency email from the boss

Business email compromise (BEC) scams – which have accelerated in recent years – are an example of impersonation used to devastating effect. In a typical BEC scam, the attacker has intimate knowledge of the target business, including who is authorized to send wire transfers and how the transfers are initiated. The attacker targets this person, sending them an email purporting to be from their boss (either by compromising or spoofing the boss’ email). The email requests a large wire transfer to the attacker’s account. The email is crafted to mimic prior wire requests. It may also inject a sense of urgency, which is a common marketing technique, by adding “I need this handled ASAP.”

I was recently contacted (via an online platform) by a person I had known for close to 30 years. He was telling me about a HUD program where citizens could apply to receive cash (up to 150,000), and were not obligated to pay it back. I was puzzled as on the one hand this sounded like a scam (HUD does not give money to individuals), on the other hand it was coming from an account that had to be legitimate. The account had far too much personal information (personal pictures, etc.) that scammers would not have had or known about. The account had a long history of posts, etc.

After thinking about it for a moment, the only logical conclusion was that the person’s previously legitimate account had been compromised. Presumably a brute force password cracking script was used to pound the login screen of the online system until they got lucky; or even more popular now, hackers like to trade lists of people’s prior passwords that were previously compromised in large scale data breaches like those at Equifax, LinkedIn.com, etc.

Takeaways?

If you receive odd requests from seemingly legitimate accounts, the person’s account has likely been compromised. Find a different method of contacting them (text or e-mail for example) to let them know.

Never use the same password on multiple important websites (especially finance related, banks, etc.)

If you are using passwords on financial websites that you have used for a very long time or have used at other websites, consider changing them and making them more difficult.

If you are an existing (or potential) AVAREN business customer and suspect you have been contacted by a scammer, feel free to forward the information to us for further analysis. 214-379-4200

Should You Pay Invoices from IDNS?

Tue, 14 Aug 2018 (https://www.avaren.com/should-you-pay-invoices-from-idns/)

IDNS is a supposed technology company that sends businesses unsolicited invoices (they refer to them only as notifications, although they look like an invoice) for domain registrations and other services. The invoiced services (example shown below) are overpriced and often for domains that the targeted company has not previously purchased (or would not have purchased if left to their own devices).

Let’s say your business uses a domain/URL of ABCPestControl.com. IDNS might send your business a “notification” to renew this domain, even though IDNS is not the registrar your business originally used to acquire the domain name. IDNS also enjoys sending businesses “notifications” for domains (or permutations of their domains) that aren’t used or needed (such as .net and .org).

When read carefully, IDNS’ ‘notifications’ technically state that you will be transferring your domain to IDNS should you pay their bill, and they are therefore skirting the edge of the law in regards to these unsolicited invoices. They aren’t technically breaking any laws and cannot therefore be referred to as a ‘scam’; but ‘scam’ is nonetheless the first word that pops into my mind when considering how they function. It is my opinion that IDNS hopes that people will pay the invoices without confirming that they need to be paid. In fact, a quick search of the internet turns up countless examples of people inadvertently paying IDNS. This is a testament to how confusing these ‘notifications’ are designed to be.

Unless your company is already doing business with IDNS (not advisable considering the nature of their operation), their notifications/invoices should go into the shredder after alerting your internal Accounts Payable staff. Should our (AVAREN’s) customers ever have doubts about any technology related invoice; they are free to call us, or proactively forward these invoices to AVAREN for further examination.